[OpenAFS-devel] linux keyrings, PAGs and KEY_ALLOC_IN_QUOTA
Simon Wilkinson
sxw@inf.ed.ac.uk
Wed, 17 Mar 2010 09:47:04 +0000
On 17 Mar 2010, at 08:35, Rainer Toebbicke wrote:
> On RHEL5 every sshd session holds at least one pag for root, so yes
> as soon as there are 50 users logged in strange things happen. ssh
> sessions as root would start to "share" tokens I suppose. Also,
> there must be a reason why pam does a setpag as root and another one
> as user: that corner case wouldn't be covered. Given that even with
> the fix checking return codes programs would have to start checking
> setpag()'s return code... and then what?
It's a bit more complex than this. What happens is that with every
setpag we allocate two key objects. The first is a session keyring,
which we allocate as the user performing the setpag, and is counted
against their quota. The second is an object to contain the PAG, which
is allocated as root so that a user can't change the PAG that they are
in. Due to us failing to keep up with kernel interface changes this is
counted against root's quota, but will still be created even if root is
over quota.
So, if you're using a PAM module which calls setpag as the user, you
won't see any problems until you try to call setpag as root. If your
PAM module calls setpag as root, then you're going to hit a limit.
Calling setpag twice in the same session (if there are modules that do
so) won't be an issue, because the second setpag replaces the objects
created by the first - the first setpag's objects will be garbage
collected, and their quota counts refunded.
Simon.
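A way to check how close a host is to the key quota described above, as an added example that is not part of the thread or of OpenAFS's code: it parses /proc/key-users (assumed layout: `uid: usage nkeys/nikeys qnkeys/maxkeys qnbytes/maxbytes`) and applies the accounting from Simon's mail, with a constructed sample table and an assumed default of 100 keys per user.

```python
import re
from typing import Dict, NamedTuple

# Constructed sample in the layout of /proc/key-users (assumed format:
# "<uid>: <usage> <nkeys>/<nikeys> <qnkeys>/<maxkeys> <qnbytes>/<maxbytes>").
SAMPLE_KEY_USERS = """\
    0:    99 98/98 98/100 1960/10000
 1000:     4  3/3  2/100   40/10000
"""

LINE_RE = re.compile(
    r"^\s*(\d+):\s+(\d+)\s+(\d+)/(\d+)\s+(\d+)/(\d+)\s+(\d+)/(\d+)\s*$")

class KeyQuota(NamedTuple):
    uid: int
    qnkeys: int   # keys currently charged against this uid's quota
    maxkeys: int  # per-user key limit (kernel.keys.maxkeys)

def parse_key_users(text: str) -> Dict[int, KeyQuota]:
    quotas = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unexpected /proc/key-users line: {line!r}")
        f = [int(x) for x in m.groups()]
        quotas[f[0]] = KeyQuota(uid=f[0], qnkeys=f[4], maxkeys=f[5])
    return quotas

def free_keys(quotas, uid, default_maxkeys=100):
    """Keys a uid can still allocate; a uid absent from the table has used none."""
    q = quotas.get(uid)
    return (q.maxkeys - q.qnkeys) if q else default_maxkeys

def setpags_until_failure(quotas, caller_uid, default_maxkeys=100):
    """setpag() calls that succeed before the caller's session keyring
    (the quota-enforced allocation) fails. As root each call charges root
    twice (session keyring + PAG key); as a user the PAG key is charged to
    root but created anyway, so only the user's own quota limits the call."""
    per_call = 2 if caller_uid == 0 else 1
    return free_keys(quotas, caller_uid, default_maxkeys) // per_call

def root_over_quota_after(quotas, user_setpags, default_maxkeys=100):
    """Whether root's quota is exhausted after this many user setpag() calls,
    each of which silently charges one PAG key to root."""
    return free_keys(quotas, 0, default_maxkeys) - user_setpags <= 0

if __name__ == "__main__":
    with open("/proc/key-users") as fh:   # live check on a Linux host
        q = parse_key_users(fh.read())
    print("root setpags left:", setpags_until_failure(q, 0))
```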